Nintendo admitted that around 160,000 accounts have been
compromised through the Nintendo Network ID (NNID) system. The company
announced that the NNID system was disabled, at least for now.
Reports surfaced
in the past few weeks about a possible data leak directly affecting Nintendo
users. People started to notice unlawful logins into their accounts, with some
users accusing various illegal purchases. Nintendo remained quiet for a while,
but the company now admits
that some users were affected.
The Nintendo Network ID is a legacy system dating back
from the Wii U and Nintendo 3DS days but which was adapted to be used as a
login for more recent devices. Nintendo also started to use a few features
called Nintendo Account for Switch users, but if people already had an NNID
account, they could use that.
The data affected by the leak includes the nickname, date
of birth, country, region, email address, and gender.
For now, Nintendo temporarily disabled the NNID login
function and issued a reset for all NNIDs and Nintendo accounts that may have
been illegally logged in. The company also promised to send emails to all the
people affected and to change their passwords as soon as possible.
Users have been asked to choose a unique and robots
password that hasn’t been used anywhere else, and to enable two-factor
authentication. Subsequently, it’s a good idea to check the credit card balance
of the PayPal account for any unlawful transactions.
The source of the leak is unknown, and Nintendo has yet
to expand on this issue. It could very well be a credential stuffing attack,
which means that hackers tried user names and passwords from other data
breaches. Many users use the same credentials on multiple online services,
which means that once the credentials were exposed, all of their online
accounts are compromised.